
Yes, You Should Probably Have A TLS Certificate

This entry was posted in General Security, WordPress Security on September 18, 2018 by Mikey Veenstra

Last week’s article covering the decision to distrust Symantec-issued TLS certificates generated a great response from our readers. One common question we received, and one that pops up just about any time SSL/TLS comes up, is how to determine when a site does and does not need such a certificate. Spoiler: Your site should probably have a TLS certificate.

A subject of some discussion in the web community surrounds the use of TLS certificates and the implementation of HTTPS that these certificates allow. While their use is critical on sites where sensitive data from visitors may be involved, like payment data or other personally identifiable information (PII), the debate concerns the use of HTTPS in cases where users aren’t providing sensitive input. In today’s post, we’ll take a practical look at the difference between HTTP and HTTPS traffic, and discuss the benefits of being issued a certificate regardless of the way users interact with your site.

What’s TLS? Is It Different From SSL?

Before we really dig in, let’s clear up some terminology for anyone who might be unfamiliar.

HTTPS (short for Hypertext Transfer Protocol Secure) allows for the secure transmission of data, especially in the case of traffic to and from websites on the internet. The security afforded by HTTPS comes from the implementation of two concepts, encryption and authentication. Encryption is a well-known concept, referring to the use of cryptography to communicate data in a way that only the intended recipient can read. Authentication can mean different things based on context, but in terms of HTTPS it means verification is performed to ensure the server you’re connecting to is the one the domain’s owner intended you to reach. The authentication portion of the transaction relies on a number of trusted sources, called Certificate Authorities (CA for short). When a certificate is requested for a domain name, the issuing CA is responsible for validating the requestor’s ownership of that domain. The combination of validation and encryption provides the site’s visitors with assurance that their traffic is privately reaching its intended destination, not being intercepted midway and inspected or altered.

TLS, or Transport Layer Security, is the open standard used across the internet to facilitate HTTPS communications. It’s the successor to SSL, or Secure Sockets Layer, although the name “SSL” has notoriously picked up common usage as an interchangeable term for TLS despite it being a deprecated technology. In general when someone brings up SSL certificates, outside of the off chance they’re literally referring to the older standard, they’re probably talking about TLS. It’s a seemingly minor distinction, but it’s one we hope will gain stronger adoption in the future.

I Shouldn’t Use TLS Unless I Really Need To, Right?

There’s no shortage of conflicting advice across the web regarding when to implement TLS and when to leave a site insecure, so it’s no surprise that a lot of strong opinions develop on both sides of the issue. Outside of cut-and-dried cases like PCI compliance, where payment transactions need to be secure to avoid a policy violation, you’ll find plenty of arguments suggesting cases where the use of TLS is unnecessary or even harmful to a website. Common arguments against the wide use of TLS tend to fall into two general categories: implementation and performance.

Concerns about implementation difficulties with TLS, like the cost of purchasing a certificate, difficulty in setting up proper HTTPS redirects, and compatibility in general are common, but are entirely manageable. In fact, TLS has never been more accessible. Let’s Encrypt, a free certificate issuer which launched in early 2016, has issued just under two-thirds of the active TLS certificates on the internet at the time of this writing. Following the flood of free certificates into the marketplace, many popular web hosting companies have begun allowing Let’s Encrypt certificates to be installed on their hosted sites, or are at least including their own certificates for free with their hosting. After all, site owners are more security-conscious now than ever, and many will happily leave a host if TLS is a cost-prohibitive endeavor.

Other pain points in the implementation of HTTPS, like compatibility with a site’s existing application stack, are no different than the pain points you’d see following other security best practices. Put simply, avoiding the use of HTTPS because your site will break is the same as avoiding security updates because your site will break. It’s understandable that you might delay it for a period of time so you can fix the underlying issue, but you still need to fix that issue.

The other arguments against widespread TLS are those of performance concerns. There’s certainly overhead in play, considering the initial key exchange and the processing necessary to encrypt and decrypt traffic on the fly. However, the efficiency of any system is going to depend heavily on implementation. In the case of most sites, the differences in performance are going to be negligible. For the rest, there’s a wealth of information available on how to fine-tune an environment to perform optimally under TLS. As a starting point, I recommend visiting Is TLS Fast Yet? to learn more about the particulars of this overhead and how best to mitigate it.

My Site Doesn’t Take Payments, So Why Bother?

Each debate ultimately hinges on whether the site owner sees value in HTTPS in the first place. A lot of the uncertainty in this regard can be traced to unfamiliarity with the data stored in HTTP requests, as well as the route that these requests travel to reach their destination. To illustrate this, let’s take a look at the contents of a typical WordPress login request.

The request contains a number of interesting pieces of information:

The full URL of the destination, including domain and file path

User-Agent details, which describe my browser and operating system

My referer, which reveals the page I visited prior to this one

Any cookies my browser has stored for this site

The POST body, which contains the username and password I’m attempting to log in with

The implications of this request falling into the wrong hands should be immediately recognizable in the fact that my username and password are plainly visible. Anyone intercepting this traffic can now establish administrative access to my site.

Contrast this with the same request submitted via HTTPS. In an HTTPS request, the only notable information left unencrypted is the destination hostname, to allow the request to get where it needs to go. As far as any third party is concerned, I’m sending this request instead:
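The comparison above, worked through in code as an added example that is not part of the original post: a small parser for a raw HTTP request and a function that reports what a passive observer on the network path can read when the same WordPress login is sent over plain HTTP versus HTTPS. The request, the hostname example.com, the cookie and the credentials are all constructed placeholders.

```javascript
// Added example, not code from the Wordfence post. The request below is
// constructed; example.com, the cookie and the credentials are placeholders.
const SAMPLE_LOGIN_REQUEST = [
  'POST /wp-login.php HTTP/1.1',
  'Host: example.com',
  'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0',
  'Referer: http://example.com/wp-login.php',
  'Cookie: wordpress_test_cookie=WP+Cookie+check',
  'Content-Type: application/x-www-form-urlencoded',
  'Content-Length: 51',
  '',
  'log=admin&pwd=hunter2&wp-submit=Log+In&testcookie=1',
].join('\r\n');

// Split a raw request into request line, header map and body.
function parseHttpRequest(raw) {
  const separator = raw.indexOf('\r\n\r\n');
  const head = separator === -1 ? raw : raw.slice(0, separator);
  const body = separator === -1 ? '' : raw.slice(separator + 4);
  const [requestLine, ...headerLines] = head.split('\r\n');
  const [method, path, version] = requestLine.split(' ');
  const headers = {};
  for (const line of headerLines) {
    const colon = line.indexOf(':');
    if (colon === -1) continue;
    headers[line.slice(0, colon).trim().toLowerCase()] = line.slice(colon + 1).trim();
  }
  const isForm = (headers['content-type'] || '').startsWith('application/x-www-form-urlencoded');
  const form = isForm ? new URLSearchParams(body) : new URLSearchParams();
  return { method, path, version, headers, body, form };
}

// What an eavesdropper learns. Over HTTPS the request line, headers and body
// travel inside TLS records; only the hostname (sent in the clear via SNI
// during the handshake) remains readable to a third party.
function exposedToObserver(req, transport) {
  const hostname = req.headers.host;
  if (transport === 'https') {
    return { hostname };
  }
  return {
    hostname,
    url: `http://${hostname}${req.path}`,
    userAgent: req.headers['user-agent'],
    referer: req.headers.referer,
    cookies: req.headers.cookie,
    credentials: { username: req.form.get('log'), password: req.form.get('pwd') },
  };
}

// Stand-alone usage: print both views of the same login request.
if (typeof require !== 'undefined' && require.main === module) {
  const req = parseHttpRequest(SAMPLE_LOGIN_REQUEST);
  console.log('HTTP  :', exposedToObserver(req, 'http'));
  console.log('HTTPS :', exposedToObserver(req, 'https'));
}
```

The HTTPS view deliberately contains nothing but the hostname: the path (which may itself reveal what a visitor is reading), the referer, the session cookies and the form body all disappear from the observer's vantage point, which is the privacy argument the rest of the post makes.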

Outside of examples as obvious as login security, the thing to keep in mind above all is the value of privacy. If a site’s owner hasn’t installed a TLS certificate, even though the site is purely informational and takes no user input, any traffic to that site can be inspected by the user’s ISP, or even the administrator of the network they’re connected to. This is notably problematic in certain cases, like when someone might be researching private medical or legal matters, but at the end of the day the content of a site is irrelevant. Granted, my hat probably contains a bit more tinfoil than most, but there’s no denying this is an era where browsing habits are tracked wherever possible. Real examples exist of ISPs injecting advertising into unencrypted traffic, and the world has a nonzero number of governments happy to inspect whatever traffic they can get their hands on. Using HTTPS by default shows your site’s users that their privacy is important to you, regardless of whether your site contains anything you might consider private.

Conclusion

The internet at large is rapidly adopting improved security standards, and the majority of web traffic is now being delivered via HTTPS. It’s more important than ever to make sure you’re providing your users with the assurance that their traffic is private, especially with HTTP pages being flagged as “Not Secure” by popular browsers. Secure-by-default is a great mindset to have, and while many of your users may never notice, the ones who do will appreciate it.

Interested in learning more about secure networking as it pertains to WordPress? Check out our in-depth lesson, Networking For WordPress Administrators. It’s totally free, you don’t even need to give us an email address for it. Just be sure to share the wealth and help spread the knowledge with your peers, either by sharing this post or giving them the breakdown yourself. As always, thanks for reading!

THE IOT’S PERPLEXING SECURITY PROBLEMS

Worldwide spending on the Internet of Things will total nearly US$773 billion this year, IDC has predicted.

The IoT will sustain a compound annual growth rate of 14.4 percent, and spending will hit $1.1 trillion by 2021, according to the firm’s forecast late last year.

Consumer IoT spending will total $62 billion this year, making it the fourth largest industry segment, after manufacturing, transportation and utilities. The leading consumer use cases will be related to the smart home, including home automation, security and smart appliances, IDC said.

Cross-industry IoT spending, which encompasses connected vehicles and smart buildings, will gobble up $92 billion this year, and will be among the top areas of spending for the next three years.

IoT growth will get a boost from new approaches coming from firms such as China’s Tuya Smart, for example, which combines hardware access, cloud services, and app development in a process that lets manufacturers transform standard products into smart products within one day.

Shadow IoT Devices on Enterprise Networks

One third of companies in the U.S., the UK and Germany have more than 1,000 shadow IoT devices connected to their network on a typical day, according to a recent Infoblox survey of 1,000 IT directors across the U.S., the UK, Germany and the UAE.

The reported shadow IoT devices included the following:

Fitness trackers – 49 percent;

Digital assistants such as Amazon Alexa and Google Home – 47 percent;

Smart TVs – 46 percent;

Smart kitchen devices such as connected microwaves – 33 percent; and

Gaming consoles – 30 percent.

There were 1,570 identifiable Google Home assistants deployed on enterprise networks in the U.S. as of March, according to the Infoblox survey. There were 2,350 identifiable smart TVs deployed on enterprise networks in Germany, and nearly 6,000 identifiable cameras deployed on UK enterprise networks.

Shadow IoT devices are devices connected to the company network but not purchased or managed by the IT department, according to Infoblox.

“Often IoT devices are added to the network without the direct knowledge of IT,” noted Bob Noel, director of strategic relationships and marketing for Plixer.

“Companies need to pay attention to the deployment of IoT devices, which are regularly put online with default passwords, legacy code riddled with known vulnerabilities, and a lack of defined policies and procedures to monitor them, leaving companies extremely vulnerable,” he told the E-Commerce Times.

More than 80 percent of organizations surveyed said security was the top consideration in IoT purchase decisions, said Brent Iadarola, VP of mobile & wireless communications at Frost & Sullivan.

However, “the unfortunate reality today is that unknown assets and unmanaged networks continue to exist in enterprise networks and are often overlooked by vulnerability scanners and solutions that monitor network changes,” he told the E-Commerce Times.

Still, “we have started to see some movement towards integrated IoT security solutions that offer end-to-end data collection, analysis and response in a single management and operations platform,” Iadarola noted.

Security for the IoT

“IoT security is highly fragmented and many devices are vulnerable,” observed Kristen Hanich, research analyst at Parks Associates.

“There are a large number of devices out there with known weaknesses that can easily be exploited by commonly available attacks,” she told the E-Commerce Times.

Most of these devices won’t receive protective updates, Hanich said, and “as most IoT devices are put in place for years or even decades, this will lead to hundreds of millions of vulnerable devices.”

Cybercriminals have been launching newer and more creative attacks on IoT devices, either to compromise them or to leverage them in botnets.

For example, Wicked — the latest version of the Mirai botnet malware, originally released in 2016 — leverages at least three new exploits.

A new version of the “Hide-and-Seek” botnet, which controls more than 32,000 IoT devices, uses custom-built peer-to-peer communication and multiple anti-tampering techniques, according to BitDefender.

“We should be preparing ourselves for many years of attacks powered by IoT botnets,” Sean Newman, director of product management for Corero Security, told the E-Commerce Times.

Cost is a problem with IoT security, Parks Associates’ Hanich noted. “Security must be built-in from the onset, which takes time and effort. It also requires regular maintenance and updates after selling the devices, potentially for many years.”

Many device makers are skipping security to keep their prices down, she pointed out, as security “does not drive unit sales of their products.”

Medical Devices and IoT Security

The IoT’s healthcare component includes connected medical devices and consumer wearables such as smartwatches and fitness trackers.

However, “they also introduce new cybersecurity vulnerabilities that could affect clinical operations and put patient care at risk,” he told the E-Commerce Times.

“The perceived risk from connected medical devices within the hospital is high, but steps are now being taken to prevent attacks,” said Frost’s Shah. “Still, there’s lots to be done.”

The risk to enterprise networks of being hacked through consumer healthcare-related devices “isn’t a big issue,” according to Greg Caressi, global business unit leader for transformational health at Frost & Sullivan.

“Personal devices are not commonly connected to private corporate networks other than healthcare IT vendors,” he told the E-Commerce Times.

Google and Apple have been leading the charge of smart devices into the healthcare realm, with other companies, such as fitness device manufacturers, following suit.

CRYPTOHACKERS BREACH STATCOUNTER TO STEAL BITCOINS

Hackers planted malware on StatCounter to steal bitcoin revenue from Gate.io account holders, according to Eset researcher Matthieu Faou, who discovered the breach.

The malicious code was added to StatCounter’s site-tracking script last weekend, he reported Tuesday.

The malicious code hijacks any bitcoin transactions made through the Web interface of the Gate.io cryptocurrency exchange. It does not trigger unless the page link contains the “myaccount/withdraw/BTC” path.

The malicious code secretly can replace any bitcoin address that users enter on the page with one controlled by the attacker. Security experts view this breach as critical because so many websites load StatCounter’s tracking script.

“This security breach is really important considering that — according to StatCounter — more than 2 million websites are using their analytics platform,” Faou told TechNewsWorld. “By modifying the analytics script injected in all those 2 million websites, attackers were able to execute JavaScript code in the browser of all the visitors of these websites.”

Limited Target, Broad Potential

The attack also is significant because it shows increased sophistication among hackers regarding the tools and methods they use to steal cryptocurrency, noted George Waller, CEO of BlockSafe Technologies.

Although this form of hijacking is not a new phenomenon, the way the code was inserted was.

The growth of the cryptocurrency market and its emerging asset class has led hackers to increase their investments in devising more robust attempts and methods to steal it. The malware used is nothing new, but the method of delivering it is.

“Since the beginning of 2017, cryptocurrency exchanges suffered over (US)$882 million in funds stolen through targeted attacks across at least 14 exchanges. This hack adds one more to the list,” Waller told TechNewsWorld.

In this instance, attackers chose to target the users at Gate.io, an important cryptocurrency exchange, said Eset’s Faou. When a user submitted a bitcoin withdrawal, attackers in real time replaced the destination address with an address under their control.

Attackers were able to target Gate.io by compromising a third-party organization, a tactic known as a “supply chain attack.” They could have targeted many more websites, Faou noted.

“We identified several government websites that are using StatCounter. Thus, it means that attackers would have been able to target many interesting people,” he said.

Telling Financial Impact

Gate.io customers who initiated bitcoin transactions during the time of the attack are most at risk from this breach. The malware hijacked transactions legitimately authorized by the site user by changing the destination address of the bitcoin transfers, according to Paige Boshell, managing member of Privacy Counsel.

As a rule, the number of third-party scripts, such as StatCounter, should be kept to a minimum by webmasters, as each represents a potential attack vector. For exchanges, additional confirmations for withdrawals would have been beneficial in this case, given that the exploit involved swapping the user’s bitcoin address for that of the thieves.

“Gate.io has taken down StatCounter, so this particular attack should be concluded,” Boshell told TechNewsWorld.

The extent of the loss and the fraud exposure for this breach is not yet quantifiable. The attackers used multiple bitcoin addresses for the transfers, Boshell added, noting that the attack could have been deployed to impact any site using StatCounter.

Protection Strategies Not Foolproof

StatCounter needs to improve its own code audit and constantly check that only authorized code is running on its network, suggested Joshua Marpet, COO at Red Lion. However, most users will not realize that StatCounter is at fault.

“They’ll blame Gate.io, and anything could happen — loss of business, ‘run on the bank,’ and even closing their doors,” he told TechNewsWorld.

Checking the code is not always a workable prevention plan. In this case, the malware code looked like the Gate.io user’s own instructions, noted Privacy Counsel’s Boshell.

“It was not easily detectable by the fraud tools that Gate.io uses to protect against and detect malware,” she said.

Network admins are not really affected in this type of breach, as the malicious code is processed at the workstation/laptop rather than on the webserver, according to Brian Chappell, senior director of enterprise and solutions architecture at BeyondTrust. It also does not provide any mechanism to gain control over the system.

“In essence, a lot of stars need to line up to make this a significant risk in that regard,” he told TechNewsWorld. “Effective vulnerability and privilege management would naturally limit the impact of any intrusion.”

That is a direction that admins need to look. There is nothing they can do to control the initial attack, assuming the targeted websites are accepted sites within their organization, Chappell added.

Even a well-protected website can be breached by compromising a third-party script, noted Eset’s Faou.

“Thus, webmasters should choose carefully the external JavaScript code they are linking to and avoid using them if it is not necessary,” he said.

One potential strategy is to screen for scripts that replace one bitcoin address with another, suggested Clay Collins, CEO of Nomics.

Using analytics services that have a good security reputation is part of that, he told TechNewsWorld.

“Folks with ad/script blockers were not vulnerable,” Collins said.

More Best Practices

Traffic analysis, website scanning and code auditing are some of the tools that could have detected that something was causing abnormal transactions and traffic, noted Fausto Oliveira, principal security architect at Acceptto. However, it would have been ideal to prevent the attack in the first place.

“If the Gate.io customers had an application that requires strong out-of-band authentication above a certain amount, or if a transaction is aimed at an unknown recipient, then their customers would have had the opportunity to block the transaction and gain early insight that something wrong was happening,” Oliveira told TechNewsWorld.
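The withdrawal controls suggested here (out-of-band confirmation above an amount, or for an unknown recipient) and the additional withdrawal confirmations recommended earlier in the article, written out as an added example that is not Gate.io's or any vendor's code. The policy's key property is that the second-channel prompt repeats the destination the server actually received, so an address swapped in the browser is visible to the user before funds move. The account, threshold, addresses and amounts are constructed placeholders.

```javascript
// Added example, not code from the article or from any exchange.
const POLICY = { amountThresholdBtc: 0.5 }; // constructed threshold

function makeAccount(knownRecipients = []) {
  return { id: 'user-42', knownRecipients: new Set(knownRecipients) }; // placeholder account
}

// Classify a withdrawal: 'allow' or 'require_oob_confirmation', with the reasons.
function withdrawalDecision(tx, account, policy = POLICY) {
  const reasons = [];
  if (tx.amountBtc >= policy.amountThresholdBtc) reasons.push('amount_over_threshold');
  if (!account.knownRecipients.has(tx.destination)) reasons.push('unknown_recipient');
  return { action: reasons.length ? 'require_oob_confirmation' : 'allow', reasons };
}

// Text sent over the second channel (SMS, push, authenticator). It quotes the
// destination as received by the server, not as displayed by the web page.
function confirmationPrompt(tx) {
  return `Withdraw ${tx.amountBtc} BTC to ${tx.destination}? Approve only if this is exactly the address you entered.`;
}

// Simulated user on the second channel: approves only if the prompt quotes the
// address they typed into the web form.
function userReviewsPrompt(prompt, addressTyped) {
  return { approved: prompt.includes(addressTyped) };
}

// Process a withdrawal. oobReply is null until the user answers on the second
// channel, then { approved: boolean }. Approved destinations become known.
function settleWithdrawal(tx, account, oobReply = null, policy = POLICY) {
  const decision = withdrawalDecision(tx, account, policy);
  if (decision.action === 'allow') {
    return { status: 'sent', to: tx.destination, reasons: decision.reasons };
  }
  if (oobReply === null) {
    return { status: 'pending', prompt: confirmationPrompt(tx), reasons: decision.reasons };
  }
  if (!oobReply.approved) {
    return { status: 'rejected', reason: 'not_confirmed_by_user', reasons: decision.reasons };
  }
  account.knownRecipients.add(tx.destination);
  return { status: 'sent', to: tx.destination, reasons: decision.reasons };
}

// Stand-alone usage: a withdrawal whose destination was changed in the browser.
if (typeof require !== 'undefined' && require.main === module) {
  const account = makeAccount(['bc1q-constructed-known-recipient']);
  const typed = 'bc1q-constructed-new-recipient';
  const received = { amountBtc: 0.1, destination: 'bc1q-constructed-other-address' };
  const pending = settleWithdrawal(received, account);
  console.log(pending);
  const reply = userReviewsPrompt(pending.prompt, typed);
  console.log(settleWithdrawal(received, account, reply));
}
```

Because the decision is made server-side from the submitted transaction, it is unaffected by whatever script ran in the browser; the user only has to compare two strings on a device the compromised page never touched.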

Using script blocking add-ons like NoScript and uBlock/uMatrix can put a measure of personal control in the website user’s hands. It makes Web browsing more challenging, noted Raymond Zenkich, COO of BlockRe.

“But you can see what code is being pulled into a site and disable it if it is not necessary,” he told TechNewsWorld.

“Web developers need to stop putting third-party scripts on sensitive pages and put their responsibility to their users over their desire for advertising dollars, metrics, etc.,” Zenkich said.

Beware Third-Party Anythings

As a rule, the number of third-party scripts should be kept to a minimum by webmasters, suggested Zenchain cofounder Seth Hornby, as each one represents a potential attack vector.

“For exchanges, additional confirmations for withdrawals would also be beneficial in this case, given that the exploit involved swapping the user’s bitcoin address for that of the thieves,” he told TechNewsWorld.

Even third-party outsourcing solutions can open the door to cyber shenanigans, warned Zhang Jian, founder of FCoin.

“So many companies within the cryptocurrency space rely on third-party companies for different duties and tasks. The ramification of this outsourcing is a loss of accountability. This puts many companies in a tough spot, unable to locate attacks of this nature before it is too late,” he told TechNewsWorld.

Instead, network admins should work toward creating in-house versions of their tools and products, from beginning to end, Jian suggested, to ensure that control of these security measures lies within their reach.

FORMER WHITE HOUSE CIO THERESA PAYTON: ‘THERE ARE GRAVE CONCERNS ABOUT ELECTION INTERFERENCE’

Theresa Payton, CEO of Fortalice Solutions, is one of the most influential experts on cybersecurity and IT strategy in the United States. She is an authority on Internet security, data breaches and fraud mitigation.

She served as the first female chief information officer at the White House, overseeing IT operations for President George W. Bush and his staff.

With the U.S. midterm elections fast approaching, both Payton’s observations about the current cybersecurity threat level and her advice about shoring up the nation’s defenses carry special weight.

In this exclusive interview, she also shares her views on social networking, privacy, and the changing playing field for women who aspire to leadership roles in technology.

TechNewsWorld: What is the chief cyberthreat to the upcoming midterm elections?

Theresa Payton: My biggest worry and concern is that citizens will not trust election results and that the election process will lose legitimacy. We know that the Department of Homeland Security, working with state election officials, has raced against the clock to secure voting systems. Our U.S. intelligence agencies have repeatedly been on the record stating there is no evidence that cybercriminals modified or deleted any votes in 2016.

The next area of concern is for the communications, contacts, and digital campaigns of candidates being broken into and doxed. While the news focuses on securing the votes and the voter databases of the midterm elections, there is not a lot of attention on whether or not campaigns take threats targeting their campaigns seriously. Nothing would hit closer to home for a candidate than if their election was hacked and they lost — or won.

“Cyber” is certainly a buzzword, but it’s not a word without meaning. With the onslaught of breaches, candidates should be laser-focused on cybersecurity.

TNW: What should federal officials do to shore up election security? What should state and local governments do? Where does the buck stop?

Payton: It’s crucial that elected officials on the left and right not politicize an issue in the short term that will have grave long-term consequences for national security.

Defensively, we need to harden our election infrastructure at the local level. This is the responsibility of the Department of Homeland Security.

DHS needs to continue to work at the local level with state election officials, but also to provide much more robust cybersecurity capabilities for protection and detection at the campaign level.

We also need to be sure that the intelligence and homeland security community is effectively sharing information and tools, techniques and tactics.

TNW: How serious are concerns that election interference might be caused by tampering with back-end election systems? What can federal agencies do to address the problems of outdated voting equipment, inadequate election-verification procedures, and other potential vulnerabilities? Is there an argument to be made for some level of mandatory federal oversight of state and local voter systems?

Payton: There are grave concerns about election interference and the race to secure them, globally, is under way. The idea that voter databases could be seeded with falsified data or modified has been around for decades, but the technical know-how and motive has caught up with that idea. Election officials in a race towards automation and efficiency may have helped criminals along, but it’s not too late if we act now.

Today, there are entire countries totally relying on electronic voting: Brazil, since 2000, has employed electronic voting machines, and in 2010 had 135 million electronic voters. India had 380 million electronic voters for its Parliament election in 2004.

It is easy to see why electronic voting is the wave of the future and how the United States could model its own voting system after these countries. It’s faster, cheaper and more accessible for those with disabilities. Also, would you miss the experience of, or the reporting of, the every-election-day headline of “Long Lines at the Polls Today”? Probably not. That is certainly less painful than a recount though.

We are headed towards electronic voting as the sole system we use despite these facts:

“The U.S. intelligence community developed substantial evidence that state websites or voter registration systems in seven states were compromised by Russian-backed covert operatives prior to the 2016 election — but never told the states involved, according to multiple U.S. officials,” NBC News reported earlier this year.

Russia hacked the Democratic National Committee’s emails with the intention to “interfere with the U.S. election process,” according to the director of national intelligence, James R. Clapper Jr., and the Department of Homeland Security.

As far as we know, despite the scans and alarm bells, no outside entity has changed any records in the registration database.

Scams such as “text your vote” were more prevalent than ever, and will increase as electronic voting becomes more widespread.

The good news is our government took this very seriously. Prior to the midterm elections, the Department of Homeland Security offered state election officials “cyber hygiene scans” to remotely search for vulnerabilities in election systems. They also conducted threat briefings and onsite reviews, as well as released a memo of “best practices” — guidance how best to secure their voter databases.

Some have called for more federal oversight and moving towards a more restrictive security model, but the states own the voting process. Providing year-round briefings from DHS, FBI, CIA, and NSA would prove to be very helpful over time.

Also, we have to remember elections are decentralized. Sometimes there is security in obscurity. Each state in our country, plus the District of Columbia, run their own election operations, including voter databases. A hostile nation state could not feasibly wipe out each system with one wave of their magic wand.

How we vote, though, is just one way our elections could be compromised. Another concern going forward must be disruption of Internet traffic, as we saw occurred just days before the last presidential election cycle on Oct. 21st, 2016, when the Mirai botnet crippled part of the Internet for hours.

A massive Distributed Denial of Service (DDoS) attack hit a host server, causing major disruptions to some of the most highly visited websites in the United States. The attack was in two waves, first on the East Coast and then on the West Coast.

As our country votes on Election Day in different time zones, and polling stations close at different times, the similarity is chilling.

However, we need everyone to turn out to vote. The focus on bolstering our election security defenses is reassuring. What we know is the warning signs are there. As we move towards the future, and focus on creating and protecting a new system to collect our votes, we need to protect the one we already have.

Two things you can be sure of after this year’s election: Eventually, every vote you cast in a United States election will be electronic, and one of those elections will be hacked. No doubt about it. But the recount in 2016 in Wisconsin reminds us all why we need a backup.

TNW: What are some ways candidates and campaigns can shore up their cybersecurity without draining their war chests? What are some of the practices they should implement in the very early days? A campaign that’s very secure ultimately might lose due to lack of visibility. How can campaigns strike the right balance?

Payton: Never before have campaigns collected so much essential information that would be lucrative to so many cybercriminals. Credit card numbers, bank account information, addresses, online identities. The assets go on and on, and cybercriminals are just like bank robbers in the old days: They follow the money.

That is why in today’s day and age, if you are on a campaign, whether it be state, national or local, you need to be as vigilant about protecting data as any business. Otherwise, you will lose your customers — also known as constituents and voters.

Anyone on a tight budget can follow these guidelines to protect their campaign assets:

Make it as hard as possible on cybercriminals by separating donor information details onto a completely separate domain name with separate user IDs and passwords from the campaign. For example, your campaign domain might be VoteSallySue.com, but donor details would be stored at MustProtectDetails.com.

Using that same practice, run all of your internal communications on a domain name that’s not the campaign name — i.e., email addresses should not be [email protected] but rather [email protected]. Increase the level of protection for internal messages by using encrypted messaging platforms for internal communications, such as Signal or Threema.

Also, be sure to encrypt all of your campaign’s donor data. We have yet to hear a report of a campaign’s donor data being hacked and used for identity theft, but we will — of that I am sure. It would be too lucrative not to try. Once it is hacked, it will be hard to restore confidence in your operation. Just ask any major retailer, bank or organization who has recently been hacked, and they will tell you. I don’t even need to use their names, you know the headlines.

Train technology and campaign staff to spot spearphishing emails and scams. Oh, sure, you think everyone knows not to “click on that link,” but recent studies illustrate doing just that is the No. 1 cause of breaches among employees.

Another safeguard that raises the bar in terms of security is implementing two-factor authentication wherever feasible. When you use a platform that employs two-factor authentication, don’t you feel safer? Possibly annoyed, as well, but certainly reassured that the extra step has been taken to secure your data. Don’t you want the electorate to feel the same way?

Finally, post a privacy policy that’s easy to read, easy to find, and you’ll find voters have more confidence in just your agenda.

TNW: How well — or poorly — have Facebook, Twitter, Google and other tech companies addressed the problems that surfaced in 2016?

Payton: I was encouraged to hear that with less than three weeks to go for the U.S. mid-terms, Facebook has stood up a war room to combat social media community manipulation as the world heads into elections this fall and winter.

They have also said they have war-gamed a number of scenarios to ensure their team is better prepared for elections around the globe. Much is at stake, so the fact that Facebook also integrated the apps they have acquired — such as WhatsApp and Instagram — into the mix of the war room is a great idea.

If I were to give them advice, I would suggest that another great step to take would be to create a way to physically embed representatives from law enforcement, other social media companies — including Twitter, LinkedIn and Google — and to allow election officials around the globe to have a “red phone” access to the war room.

TNW: What are some of the most pressing cybersecurity problems facing social networks, apart from their use as political tools?

Payton: The ability to change their business and moderator models, in real time, to morph quickly to shut down fake personas, fake ads, and fake messaging promoting political espionage, even if it means higher expenses and loss of revenue. Social media companies have made a lot of progress since the 2016 presidential elections and claims of global-wide election meddling, but the criminals have changed tactics and it’s harder to spot them.

On the heels of the August 2018 news that Microsoft seized six domains that Russian Internet trolls planned to use for political espionage phishing attacks around the same time that Facebook deactivated 652 fake accounts and pages tied to misinformation campaigns, Alex Stamos, the former Facebook security chief, posted an essay in Lawfare, and stated that it was “too late to protect the 2018 elections.”

TNW: What role should the government play in protecting citizens’ privacy online?

Payton: As the Internet evolves, laws and regulations must change more rapidly to reflect societal issues and problems created by new types of behavior taking place online. Never before has the world had access to statements, pictures, video and criticism by millions of individuals who are not public figures.

The Internet provides us with places to document our lives, thoughts and preferences online, and then holds that material for an indefinite period of time — long after we might have outgrown our own postings.

It also provides places where we can criticize our bosses, local building contractors, or polluters.

This digital diary of our lives leaves tattered pages of our past that we may forget about because we cannot see them, but they could be collected, collated, and used to judge us or discriminate against us without due process. The government needs to think ahead and determine which laws need to be enacted to protect our right to opt in and out of privacy features and to own our digital lives and footprints.

TNW: What is your opinion of Europe’s “right to be forgotten” law? Do you think a similar law would make sense in the United States?

Payton: The European Union’s “right to be forgotten” sets an interesting precedent, not just for its member countries but for citizens around the world. It is too early to know what the long-term impacts of the EU’s decision to enforce a “right to be forgotten” with technology companies will be. However, it’s a safe bet the law will evolve and not disappear.

There are concerns that giving you or organizations more control of their Internet identity, under a “right to be forgotten” clause, could lead to [censorship] of the Internet. Free-speech advocates around the globe are concerned that the lack of court precedent and the gray areas of the EU law could lead to pressure for all tech companies to remove results across the globe, delinking news stories and other information upon an individual’s request.

A quick history lesson of how this law came about: A Spanish citizen filed a complaint with Spain’s Data Protection Agency and indicated that Google Spain and Google Inc. had violated his privacy rights by posting an auction notice that his home was repossessed. The matter was resolved years earlier but since “delete is never really delete” and “the Internet never forgets,” the personal data about his financial matters haunted his reputation online.

He requested that Google Spain and Google Inc. be required to remove the old news so it would not show up in search engine results. The Spanish court system reviewed the case and referred it to the European Union’s Court of Justice.

Here is an excerpt of what the May 2014 ruling of the EU Court said:

“On the ‘Right to be Forgotten’: Individuals have the right — under certain conditions — to ask search engines to remove links with personal information about them. This applies where the information is inaccurate, inadequate, irrelevant or excessive for the purposes of the data processing… . A case-by-case assessment is needed considering the type of information in question, its sensitivity for the individual’s private life and the interest of the public in having access to that information. The role the person requesting the deletion plays in public life might also be relevant.”

In the U.S., implementing a federal law might be tempting, but the challenge is that the ability to comply with the law will be complex and expensive. This could mean that the next startup will be crushed under compliance and therefore innovation and startups will die before they can get launched.

However, we do need a central place of advocacy and a form of a consumer privacy bill of rights. We have remedies to address issues but it’s a complex web of laws that apply to the Internet. Technology changes society faster than the law can react, so U.S. laws relating to the Internet will always lag behind.

We have a Better Business Bureau to help us with bad business experiences. We have the FTC and FCC to assist us with commerce and communications. Individuals need an advocacy group to appeal to, and for assistance in navigating online defamation, reputational risk, and an opportunity to scrub their online persona.

TNW: What is your attitude toward social networking? What’s your advice to others regarding the trustworthiness of social networks?

Payton: Social networking can offer us amazing ways to stay in touch with colleagues, friends and loved ones. It’s a personal decision as to how involved you are online, how many platforms you interact with, and how much of your life that you digitally record or transact online.

If you want to be on social media but don’t want to broadcast everything about you, I tell my clients to turn off location tracking — or geolocation tools — in social media. That way you aren’t “checking in” places. Cybercriminals use these check-ins to develop your pattern of life and to track your circle of trust. If a cybercriminal has these two patterns, it makes it easier for them to hack your accounts.

Register for an online service that will give you a phone number, such as Google Voice or Talkatone. Provide that number on social media and forward it to your real cellphone. Avoid personality surveys and other surveys — they are often very fun to do, but the information posted often gives digital clues to what you may use for your password.

Always turn on two-factor authentication for your accounts, and tie your social media accounts to an email address dedicated to social media. Turn on alerts to notify you if there is a login that is outside your normal login patterns.

The amount of personal information you choose to share is up to you — and everyone has to find that limit of what is too much — but at the very least, never give out personally identifiable information like your address, DOB, financial information, etc.

TNW: As the first woman to serve in the role of CIO at the White House, under President George W. Bush, how did you feel about becoming an instant role model for girls and young women interested in tech careers?

Payton: It’s an honor to think about the opportunity to give back and to help along anyone that wants to pursue this career path, especially young women. Candidly, we need everyone to fight the good fight. My heart breaks when I see computer and engineering classes with very few women in them.

We did not reach out to the women early enough, and when I talk to young women in high school and college about considering cybersecurity as a career, many of them tell me that since they have had no prior exposure they are worried about failing, and that it’s “too late now to experiment.” To which I tell them that it’s always a great time to experiment and learn new things!

Prior to taking on the role at the White House, I had been very active in women in technology groups and was passionately recruiting young women to consider technology careers. At the time I was offered the role and accepted, I candidly didn’t have an immediate aha moment about being a role model for women because of that specific job. I was most focused on making sure the mission was a success. I see it now and it’s an honor to be able to be a role model and I strive to live up to that expectation.

The cybersecurity industry can do more to help women understand the crucial role that cybersecurity professionals play that make a difference in our everyday lives. Unfortunately, hackers, both ethical and unethical, are often depicted as men wearing hoodies over their faces, making it difficult for women to picture themselves in that role as a realistic career choice, because they don’t think they have anything in common with hackers.

Studies show that women want to work in professions that help people — where they are making a difference. When you stop a hacker from stealing someone’s identity, you’ve made a difference in someone’s life or business. At the end of the day, the victims of hackers are people, and women can make a tremendous difference in this field. This is something the industry as a whole needs to do a better job of showing women.

TNW: You’re now the CEO of a company in the private sector. Can you tell us a little about what Fortalice Solutions does, its mission, and your priorities in guiding it?

Payton: Fortalice Solutions is a team of cybercrime fighters. We hunt bad people from behind a keyboard to protect what matters most to nations, business and people. We combine the sharpest minds in cybersecurity with active intelligence operations to secure everything from government and corporate data and intellectual property, to individuals’ privacy and security.

At Fortalice, our strengths lie in studying the adversary and outmaneuvering them with our human-first, technology-second approaches.

TNW: How have attitudes toward women in powerful positions changed — for better or worse — in recent years?

Payton: Although thankfully this is beginning to change, I am typically the only woman in the room — and that was common in banking as well as technology. I had to learn how to stand up for myself and ensure my voice was heard. I’ve had more than my fair share of times when my technical acumen has been discounted because I’m female.

I’ve learned that grace and tact go a long way, and I’m very, very proud to say that my company is nearly dead-equal male/female. We even started an organization called “Help A Sister Up” — you can find us on LinkedIn — that’s dedicated to advancing women in technology and serving as a rallying point for them and their male advocates. We post job openings, interesting articles, avenues for discussion. Please join us!

TNW: What’s your advice to girls and women entering technological fields about whether to seek employment in the private or the public sector? What are some of the pros and cons, particularly from the standpoint of gender equality?

Payton: An April 2013 survey of Women in Technology found that 45 percent of respondents noted a “lack of female role models or [the encouragement to pursue a degree in a technology-related field].”

It’s been proven that professional mentorship and development dramatically increase participation in any given field, so the lack of women in cybersecurity is really a compounding problem — we don’t have enough women in cyber because there aren’t enough women role models in cyber.

While connecting with other women has had its challenges, there are wonderful women in cyber today. Look at Linda Hudson — currently the chairman and CEO of The Cardea Group and former president and CEO of BAE Systems Inc. — shattering the glass ceiling for women behind her. Also, up-and-comer Keren Elazari, a global speaker on cybersecurity and ethical hacker out of Israel.

I’ve been very lucky to work with wonderful, inspiring women in cyber, but I recognize that my exposure might be more than women starting their career. This brings me to my next point: I recommend all cyber practitioners, and especially women, take advantage of all the amazing free tools out there from RSA, TED talks, and even YouTube.

You can watch speeches from veteran cybersecurity professionals about their careers, hear their advice on how to succeed, and learn new skills to keep you competitive in the workplace. Consider free online courses in cybersecurity or popular programming languages like Python. Ask your colleagues to show you their favorite geek gadget or ethical hack.

There are some excellent security frameworks and guidance available for free online, such as the NIST framework, CIS Critical Security Controls, SSAE 16, and discussions on GDPR. Leverage social media to hear what’s on the minds of security experts. You must be a constant student of your profession in this field.